Malware Removal & HijackThis Logs
12-Nov-2004, 01:03 PM
#1
Computer Hosed by SpyWare Stormer

Hi, I installed a WiFi at home and my notebook got totally scrambled by at least two programs: 1) SpyWare Stormer 2) Error Guard. I tried cleaning it up with Ad-Aware and Spybot, also by SpyCleaner, but nothing helps. Please help!
12-Nov-2004, 01:09 PM
#2

Go here and download 'Hijack This!'. First make a folder on your computer in My Documents called Hijackthis and then unzip it to that folder. Then double-click Hijackthis.exe. Click the "Scan" button; when the scan is finished the Scan button will become "Save Log", click that and save the log. Go to where you saved the log and click on "Edit > Select All", then click on "Edit > Copy", then paste the log back here in a reply. It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required, so do NOT fix anything yet. Someone here will be happy to help you analyze the results.
__________________
Derek, Microsoft MVP/Windows - Security. Thespykiller | Security & Privacy. I am helping you, please help me by donating to help keep the Hedgehog Rescue Centre running.
12-Nov-2004, 06:24 PM
#3
hijackthis.log

Logfile of HijackThis v1.98.2
Scan saved at 3:00:03 PM, on 11/12/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\System32\TFNF5.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe
C:\WINDOWS\System32\twink64.exe
C:\WINDOWS\System32\gklgtoir.exe
C:\Program Files\VVSN\VVSN.exe
C:\WINDOWS\Imr.exe
C:\Program Files\Windows AdControl\WinAdCtl.exe
C:\temp\salm.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows AdControl\WinAdAlt.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Documents and Settings\Alex\Application Data\acao.exe
C:\WINDOWS\System32\?ttrib.exe
C:\Program Files\Web_Rebates\WebRebates1.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\PROGRA~1\INTERN~1\iexplore.exe
A:\NC.EXE
E:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hot-search.biz/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.hot-search.biz/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Alex\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Alex\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hot-search.biz/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.hot-search.biz/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Alex\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Alex\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Alex\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.hot-search.biz/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Alex\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.hot-search.biz/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.hot-search.biz/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.hot-search.biz/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.hot-search.biz/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: BHO - {06CAD548-14DD-4fa3-9EA9-05F83C18CBD7} - C:\WINDOWS\System32\mspxs32.dll
O2 - BHO: (no name) - {31D9602E-E660-50B9-D571-17550D867C6C} - C:\WINDOWS\System32\xdmp.dll
O2 - BHO: (no name) - {3CD6372B-E03A-5FBD-D271-17550D867D36} - C:\WINDOWS\System32\dxwmda.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7A12A061-1396-4A68-8D0D-920618F280DA} - C:\WINDOWS\system32\nca4mcy.dll (file missing)
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod.dll
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: Tubby - {9EAC0102-5E61-2312-BC2D-444C4C4F5552} - C:\WINDOWS\System32\DLL.dll
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
O2 - BHO: (no name) - {A78860C8-EE1A-46DF-A97F-E3E6D433E80B} - C:\WINDOWS\system32\8w8kce.dll
O2 - BHO: (no name) - {CCF4CEC4-8667-4103-8B8B-669DEA67EB49} - C:\WINDOWS\System32\dkn.dll
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765724820} - C:\WINDOWS\System32\wer4820.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O3 - Toolbar: Search toolbar - {9EAC0102-5E61-2312-BC2D-444C4C4F5552} - C:\WINDOWS\System32\DLL.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [ErrorGuard] C:\Program Files\ErrorGuard\ErrorGuard.Exe
O4 - HKLM\..\Run: [Spyware Stormer] C:\Program Files\Spyware Stormer\SpywareStormer.Exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [oaksln] C:\WINDOWS\System32\gklgtoir.exe
O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [conscorr] C:\WINDOWS\conscorr.exe
O4 - HKLM\..\Run: [Win32 Explorer] C:\WINDOWS\System32\explorer32.exe
O4 - HKLM\..\Run: [Win32SystemMonitor] C:\WINDOWS\System32\Rns.exe
O4 - HKLM\..\Run: [Windows AdControl] C:\Program Files\Windows AdControl\WinAdCtl.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [uboryzud] C:\WINDOWS\uboryzud.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunOnce: [vr9uu.exe] C:\WINDOWS\System32\vr9uu.exe /k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [Osus] C:\Documents and Settings\Alex\Application Data\acao.exe
O4 - HKCU\..\Run: [Sbxskijk] C:\WINDOWS\System32\?ttrib.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [Win32 Explorer] C:\WINDOWS\System32\explorer32.exe
O4 - HKCU\..\Run: [Win32SystemMonitor] C:\WINDOWS\System32\Rns.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZRxdm185YYUS
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O9 - Extra button: Add to Restricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra button: Add to Trusted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O12 - Plugin for .m14: C:\Program Files\Internet Explorer\plugins\NPEdoc32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix:
O13 - WWW Prefix:
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://c:\nosuch.mht!http://www.foxik.com/5/files.chm::/file.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_fi...4f880889783bc3
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache...tup1.0.0.8.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/mini...ansporter.cab?
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwa...06_regular.cab
O16 - DPF: {60261C06-81B0-4DE0-9313-E5BA203A64E9} (No description) - http://216.195.35.10/pdfmgr_s.cab
O16 - DPF: {72D78A82-8953-67B4-4792-9C034B139753} - ms-its:mhtml:file://c:\nosuch.mht!http://www.foxik.com/chm/files.chm::/file.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O18 - Filter: text/html - {2C08F638-F7FF-429A-82E5-DE9953830075} - C:\WINDOWS\System32\dkn.dll
O18 - Filter: text/plain - {2C08F638-F7FF-429A-82E5-DE9953830075} - C:\WINDOWS\System32\dkn.dll
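The helpers in this thread read logs like the one above by eye, looking for a handful of recurring patterns: IE search settings redirected to a page in a Temp folder or to a non-OEM host, search hooks and BHOs whose file no longer exists, unnamed BHOs loaded straight from the Windows directory, autostarts running from Temp or Application Data, file names with a character HijackThis cannot display (shown as "?"), names that imitate a system binary, sites added to the Trusted Zone, and DPF entries delivered via ms-its:/mhtml: or pointing at an .exe. The Python script below is an added example, not code from the thread or from HijackThis, that automates that first pass over entries in the HijackThis v1.98 line format. The sample lines are constructed from entries in the log above; the expected-host set (www.toshiba.com, taken from the O14 IERESET.INF line) and every rule are heuristics chosen for this example, not HijackThis's own logic, and a hit means "look at this", not "delete this".

```python
"""Heuristic first-pass triage of HijackThis v1.98-style log entries (added example, not HijackThis code)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample in the line format HijackThis prints; a few benign entries are included as negatives.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hot-search.biz/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Alex\LOCALS~1\Temp\sp.html
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A78860C8-EE1A-46DF-A97F-E3E6D433E80B} - C:\WINDOWS\system32\8w8kce.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O4 - HKLM\..\Run: [Win32 Explorer] C:\WINDOWS\System32\explorer32.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKCU\..\Run: [Sbxskijk] C:\WINDOWS\System32\?ttrib.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://c:\nosuch.mht!http://www.foxik.com/5/files.chm::/file.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.*)$")          # "<section> - <body>"
O4_RE = re.compile(r"^[^:]+: (?:\[[^\]]*\] )?(?P<cmd>.+)$")                # "<hive>: [<value>] <command>"
SUSPECT_DIR_RE = re.compile(r"\\(?:temp|application data)\\", re.IGNORECASE)
LOOKALIKE_STEMS = ("explorer", "svchost", "winlogon", "lsass", "services")  # names spyware likes to imitate
EXPECTED_HOSTS = frozenset({"www.toshiba.com"})  # OEM start page from the thread's O14 IERESET.INF line (assumption)


@dataclass
class Finding:
    code: str
    entry: str
    reason: str


def autostart_path(cmd: str) -> str:
    """Return the executable part of an O4 command line, quoted or not, with or without arguments."""
    m = re.match(r'^"?(?P<path>.+?\.exe)', cmd, re.IGNORECASE)
    return m.group("path") if m else cmd.strip('"')


def url_host(value: str) -> Optional[str]:
    """Hostname of an http(s) URL; None for file://, about:blank and other non-web values."""
    parsed = urlparse(value.strip())
    return parsed.hostname if parsed.scheme in ("http", "https") else None


def check_autostart(cmd: str) -> Optional[str]:
    """Apply the O4 rules to one command line; return a reason, or None if nothing stands out."""
    path = autostart_path(cmd)
    base = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    stem = base[:-4] if base.endswith(".exe") else base
    if "?" in base:
        return "file name contains a character HijackThis cannot display (shown as '?'); it cannot be typed"
    if SUSPECT_DIR_RE.search(path):
        return "autostart runs from a Temp or Application Data folder"
    for s in LOOKALIKE_STEMS:
        if stem.startswith(s) and stem != s:
            return f"name imitates the system binary {s}.exe"
    return None


def triage(log_text: str, expected_hosts=EXPECTED_HOSTS) -> List[Finding]:
    """One pass over the log; at most one finding per entry, with identical O10 LSP lines aggregated."""
    findings: List[Finding] = []
    lsp_seen: Counter = Counter()
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        reason = None
        if code in ("R0", "R1", "R3"):
            if "(no file)" in body:
                reason = "search hook points to a file that no longer exists (orphaned hijack)"
            elif " = " in body:
                value = body.split(" = ", 1)[1]
                if SUSPECT_DIR_RE.search(value):
                    reason = "search setting points to a page in a Temp folder"
                else:
                    host = url_host(value)
                    if host and host not in expected_hosts:
                        reason = f"default page/search redirected to {host}"
        elif code in ("O2", "O3"):
            if "(no file)" in body or "(file missing)" in body:
                reason = "registered component whose file is missing (the registration is dead weight)"
            elif body.startswith(("BHO: (no name)", "Toolbar: (no name)")) and "\\WINDOWS\\" in body.upper():
                reason = "unnamed BHO/toolbar loaded from the Windows directory; verify before keeping"
        elif code == "O4":
            o4 = O4_RE.match(body)
            reason = check_autostart(o4.group("cmd")) if o4 else None
        elif code == "O10":
            lsp_seen[body] += 1
            continue
        elif code == "O15":
            reason = "site added to the Trusted Zone, which relaxes IE's security settings for it"
        elif code == "O16":
            low = body.lower()
            if "ms-its:" in low or "mhtml:" in low or low.endswith(".exe"):
                reason = "downloaded program file delivered via ms-its:/mhtml: or pointing straight at an .exe"
        if reason:
            findings.append(Finding(code, f"{code} - {body}", reason))
    for body, n in lsp_seen.items():
        findings.append(Finding("O10", f"O10 - {body}",
                                f"Winsock LSP not in HijackThis's whitelist, listed {n} time(s); confirm the vendor"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.code}] {f.reason}\n    {f.entry}")
```

Run against the sample it reports eleven findings and leaves the Spybot SDHelper BHO, the ZoneAlarm autostart and the iPIX control alone. The O10 rule deliberately aggregates rather than alarms: HijackThis prints "Unknown file in Winsock LSP" for anything outside its whitelist, and the same Google Desktop DLL appears four times in the log above, so the count is the useful signal and the vendor check is manual.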
12-Nov-2004, 07:00 PM
#4

bump
12-Nov-2004, 10:28 PM
#5

Click here to download CWSinstall.exe. Click on the CWSinstall.exe file and it will install CWShredder. Close all browser windows, click on cwshredder.exe, then click "Fix" (not "Scan only") and let it do its thing. When it is finished, restart your computer.

Go here and download Ad-Aware SE. Install the program and launch it. First, in the main window, look in the bottom right corner and click on "Check for updates now", then click "Connect" and download the latest reference files. From the main window, click "Start", then under "Select a scan Mode" tick "Perform full system scan". Next deselect "Search for negligible risk entries". Now, to scan, just click the "Next" button. When the scan is finished, mark everything for removal and get rid of it (right-click the window and choose "Select all" from the drop-down menu, then click "Next"). Restart your computer.

Then go here and download Spybot Search & Destroy. Install the program and launch it. Before scanning, press "Online" and "Search for Updates". Put a check mark at and install all updates. Click "Check for Problems" and when the scan is finished let Spybot fix/remove all it finds marked in RED. Restart your computer.

Come back here and post another HijackThis log and we'll get rid of what's left.
__________________
If I have helped solve your problem, please Click Here and make a donation to help keep this great site running. 100% goes directly to this site.
13-Nov-2004, 11:27 AM
#6
Second hijackthis logfile

Last night I ran CWShredder, the Ad-Aware SE, the Spybot S&D, and then hijackthis, the logfile of which is listed after this message. I got the following message from CWShredder: "The following file could be part of CWS.Control.4 which uses random filenames. If the file displayed below has a filename that looks like a random string of characters, it should be deleted. CWShredder cannot determine it for you. If you are not sure, write down the filename, click "No" and ask someone for help, or post on the SpywareInfo forums. Is the filename random? C:\WINDOWS\conscorr.exe" I answered "No" and the file is still there.

In the end of all this I thought there was noticeable improvement: everything ran faster, the parasitic "spy detection" software still kept popping up right after rebooting, but was less persistent and once clicked off stayed off. But Windows Explorer still does not work. And then the computer started to reboot on its own: first, there would be a flash of some blue screen with white letters on it, then the machine would reboot. It happened several times at different stages in the session. Once I got a Microsoft window with a message: "The system has recovered from a serious error. A log of this error has been created. Error signature: BCCode:1000008e BCP1: C0000005 BCP2: 000001EE BCP3: F65D2CC8 BCP4: 00000000 OSVer: 5_1_2600 SP: 0_0 Product: 768_1"

The log from the last hijackthis follows:

Logfile of HijackThis v1.98.2
Scan saved at 8:57:24 PM, on 11/12/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\System32\TFNF5.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\twink64.exe
C:\WINDOWS\Enp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Documents and Settings\Alex\Application Data\acao.exe
C:\WINDOWS\System32\?ttrib.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\WINDOWS\System32\wuauclt.exe
A:\NC.EXE
E:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hot-search.biz/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.hot-search.biz/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hot-search.biz/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.hot-search.biz/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.hot-search.biz/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.hot-search.biz/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.hot-search.biz/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.hot-search.biz/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.hot-search.biz/index.html
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: BHO - {06CAD548-14DD-4fa3-9EA9-05F83C18CBD7} - C:\WINDOWS\System32\mspxs32.dll
O2 - BHO: (no name) - {31D9602E-E660-50B9-D571-17550D867C6C} - C:\WINDOWS\System32\xdmp.dll
O2 - BHO: (no name) - {3CD6372B-E03A-5FBD-D271-17550D867D36} - C:\WINDOWS\System32\dxwmda.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: Tubby - {9EAC0102-5E61-2312-BC2D-444C4C4F5552} - C:\WINDOWS\System32\DLL.dll
O2 - BHO: (no name) - {A78860C8-EE1A-46DF-A97F-E3E6D433E80B} - C:\WINDOWS\system32\8w8kce.dll
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765724820} - C:\WINDOWS\System32\wer4820.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Search toolbar - {9EAC0102-5E61-2312-BC2D-444C4C4F5552} - C:\WINDOWS\System32\DLL.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [ErrorGuard] C:\Program Files\ErrorGuard\ErrorGuard.Exe
O4 - HKLM\..\Run: [Spyware Stormer] C:\Program Files\Spyware Stormer\SpywareStormer.Exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [Win32SystemMonitor] C:\WINDOWS\System32\Fqd.exe
O4 - HKLM\..\Run: [Windows AdControl] C:\Program Files\Windows AdControl\WinAdCtl.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunOnce: [vr9uu.exe] C:\WINDOWS\System32\vr9uu.exe /k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [Osus] C:\Documents and Settings\Alex\Application Data\acao.exe
O4 - HKCU\..\Run: [Sbxskijk] C:\WINDOWS\System32\?ttrib.exe
O4 - HKCU\..\Run: [Win32SystemMonitor] C:\WINDOWS\System32\Fqd.exe
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O9 - Extra button: Add to Restricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra button: Add to Trusted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O12 - Plugin for .m14: C:\Program Files\Internet Explorer\plugins\NPEdoc32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://c:\nosuch.mht!http://www.foxik.com/5/files.chm::/file.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache...tup1.0.0.8.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/mini...ansporter.cab?
O16 - DPF: {60261C06-81B0-4DE0-9313-E5BA203A64E9} (No description) - http://216.195.35.10/pdfmgr_s.cab
O16 - DPF: {72D78A82-8953-67B4-4792-9C034B139753} - ms-its:mhtml:file://c:\nosuch.mht!http://www.foxik.com/chm/files.chm::/file.exe
13-Nov-2004, 12:40 PM
#7

Go to Add/Remove Programs and uninstall Spyware Stormer. Run HijackThis again and put a check by these. Close ALL windows except HijackThis and click "Fix checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hot-search.biz/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.hot-search.biz/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hot-search.biz/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.hot-search.biz/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.hot-search.biz/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.hot-search.biz/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.hot-search.biz/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.hot-search.biz/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.hot-search.biz/index.html
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: BHO - {06CAD548-14DD-4fa3-9EA9-05F83C18CBD7} - C:\WINDOWS\System32\mspxs32.dll
O2 - BHO: (no name) - {31D9602E-E660-50B9-D571-17550D867C6C} - C:\WINDOWS\System32\xdmp.dll
O2 - BHO: (no name) - {3CD6372B-E03A-5FBD-D271-17550D867D36} - C:\WINDOWS\System32\dxwmda.dll
O2 - BHO: Tubby - {9EAC0102-5E61-2312-BC2D-444C4C4F5552} - C:\WINDOWS\System32\DLL.dll
O2 - BHO: (no name) - {A78860C8-EE1A-46DF-A97F-E3E6D433E80B} - C:\WINDOWS\system32\8w8kce.dll
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765724820} - C:\WINDOWS\System32\wer4820.dll
O3 - Toolbar: Search toolbar - {9EAC0102-5E61-2312-BC2D-444C4C4F5552} - C:\WINDOWS\System32\DLL.dll
O4 - HKLM\..\Run: [Spyware Stormer] C:\Program Files\Spyware Stormer\SpywareStormer.Exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [Win32SystemMonitor] C:\WINDOWS\System32\Fqd.exe
O4 - HKLM\..\Run: [Windows AdControl] C:\Program Files\Windows AdControl\WinAdCtl.exe
O4 - HKLM\..\RunOnce: [vr9uu.exe] C:\WINDOWS\System32\vr9uu.exe /k
O4 - HKCU\..\Run: [Osus] C:\Documents and Settings\Alex\Application Data\acao.exe
O4 - HKCU\..\Run: [Sbxskijk] C:\WINDOWS\System32\?ttrib.exe
O4 - HKCU\..\Run: [Win32SystemMonitor] C:\WINDOWS\System32\Fqd.exe
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://c:\nosuch.mht!http://www.foxik.com/5/files.chm::/file.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...etup1.0.0.8.cab
O16 - DPF: {60261C06-81B0-4DE0-9313-E5BA203A64E9} (No description) - http://216.195.35.10/pdfmgr_s.cab
O16 - DPF: {72D78A82-8953-67B4-4792-9C034B139753} - ms-its:mhtml:file://c:\nosuch.mht!http://www.foxik.com/chm/files.chm::/file.exe

Restart to safe mode (How to start your computer in safe mode). Because XP will not always show you hidden files and folders by default, go to Start > Search and under "More advanced search options" make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders". Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders". Click "Apply" then "OK".

Now find and delete these files:
C:\Documents and Settings\Alex\Application Data\acao.exe
C:\WINDOWS\System32\twink64.exe
C:\WINDOWS\System32\Fqd.exe
C:\WINDOWS\System32\vr9uu.exe

Delete these folders:
C:\Program Files\Windows AdControl
C:\Program Files\Spyware Stormer
C:\Program Files\MyWebSearch

Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All, then Edit > Delete to delete the entire contents of the Temp folder. Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All, then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab, then click the "Reset Web Settings" button. Click Apply then OK. Empty the Recycle Bin.

IMPORTANT!: I highly recommend that you go to Windows Update and install all "Critical Updates and Service Packs" except for Service Pack 2 ASAP! This will patch numerous security holes in IE and Windows. Many baddies get on your machine by taking advantage of these vulnerabilities. As your machine stands now it is wide open to attack from all sorts of nasties. You need to get these updates IMMEDIATELY!

Note: At this time I cannot and do not recommend that you install Service Pack 2 until you have read the info at the following links and are sure that it will not cause problems with your system:
http://www.microsoft.com/windowsxp/u...nstallsp2.mspx
http://support.microsoft.com/default...b;en-us;884130
http://support.microsoft.com/default.aspx?kbid=842242
http://support.microsoft.com/default...b;en-us;878474
15-Nov-2004, 12:06 PM
#8

After I have done everything you instructed me to do, things look much better. But there is still a remnant of spyware activities that didn't go away: I have 2 users set up; on my side it seems to be fine, all functions restored, but when I switch users and go to my wife's session, I see her desktop with black background (no original wallpaper), all icons highlighted and in the center of the desktop a large window, announcing: "Warnihg! You are in danger ... etc." Also, my internet access is gone on both my desktop and notebook computers, but since only my notebook was affected by this spyware problem the Internet problem must be unrelated. Or is it?
15-Nov-2004, 06:22 PM
#9 |
| On your wife's account go to Control Panel > Display. Click on the "Desktop" tab then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you should see an entry checked called something like "Security" or similar. Select that entry and click the "Delete" button. Click OK then Apply and OK. Also log in to her account and run Hijack This and post the log from her account.
17-Nov-2004, 08:03 AM
#10 |
| Followed your instructions but nothing changed. Here is the hijackthis logfile from my wife's user session:

Logfile of HijackThis v1.98.2
Scan saved at 1:57:09 PM, on 11/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\System32\TFNF5.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\Ubk.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Eida\Application Data\acao.exe
E:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hot-search.biz/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.hot-search.biz/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Eida\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Eida\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Eida\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.hot-search.biz/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.hot-search.biz/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.hot-search.biz/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshiba.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Win32SystemMonitor] C:\WINDOWS\System32\Ubk.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Osus] C:\Documents and Settings\Eida\Application Data\acao.exe
O4 - HKCU\..\Run: [Win32 Explorer] C:\WINDOWS\System32\explorer32.exe
O4 - HKCU\..\Run: [Uiqcm] C:\WINDOWS\System32\?hkdsk.exe
O4 - HKCU\..\Run: [Win32SystemMonitor] C:\WINDOWS\Ofc.exe
O9 - Extra button: Add to Restricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra button: Add to Trusted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O12 - Plugin for .m14: C:\Program Files\Internet Explorer\plugins\NPEdoc32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/mini...ansporter.cab? |
17-Nov-2004, 06:53 PM
#11 |
| Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hot-search.biz/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.hot-search.biz/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Eida\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Eida\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Eida\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.hot-search.biz/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.hot-search.biz/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.hot-search.biz/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O4 - HKLM\..\Run: [Win32SystemMonitor] C:\WINDOWS\System32\Ubk.exe
O4 - HKCU\..\Run: [Osus] C:\Documents and Settings\Eida\Application Data\acao.exe
O4 - HKCU\..\Run: [Win32 Explorer] C:\WINDOWS\System32\explorer32.exe
O4 - HKCU\..\Run: [Uiqcm] C:\WINDOWS\System32\?hkdsk.exe
O4 - HKCU\..\Run: [Win32SystemMonitor] C:\WINDOWS\Ofc.exe
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com

Restart to safe mode.
How to start your computer in safe mode

Because XP will not always show you hidden files and folders by default, go to Start > Search and under "More advanced search options" make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders". Click "Apply" then "OK".

Now find and delete these files:
C:\Documents and Settings\Eida\Application Data\acao.exe
C:\WINDOWS\Ofc.exe
C:\WINDOWS\System32\Ubk.exe
C:\WINDOWS\System32\explorer32.exe
C:\WINDOWS\System32\?hkdsk.exe ----> This is not a typo. The actual file name is ?hkdsk.exe. DO NOT delete chkdsk.exe.

Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

Empty the Recycle Bin.

Click here to download CWSinstall.exe. Click on the CWSinstall.exe file and it will install CWShredder. Close all browser windows, click on the cwshredder.exe then click "Fix" (not "Scan only") and let it do its thing. When it is finished restart your computer.

Go here and download Ad-Aware SE. Install the program and launch it.

First in the main window look in the bottom right corner and click on Check for updates now, then click Connect and download the latest reference files. From the main window: click Start, then under Select a scan Mode tick Perform full system scan. Next deselect Search for negligible risk entries. Now to scan just click the Next button. When the scan is finished mark everything for removal and get rid of it (right-click the window and choose select all from the drop down menu and click Next). Restart your computer.
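The entries the helper singles out of the wife's-account log in post #10 and tells the poster to fix in post #11 follow a handful of patterns: per-user IE search and start values pointing at hot-search.biz or at an .html file in a Temp folder, Run keys launching executables from Application Data, a file named ?hkdsk.exe that differs from chkdsk.exe by one unprintable character (and explorer32.exe, differing from explorer.exe by appended digits), and domains added to the Trusted Zone. Those patterns can be pre-screened mechanically before a human reads the rest. The script below is an added example, not HijackThis code and not anything posted in the thread; the rules, the SYSTEM_STEMS list and the SEARCH_VALUES set are this example's own assumptions, and the sample log is constructed from a dozen lines of the log above.

```python
"""Heuristic pre-screen for HijackThis log lines.

Added example: not part of HijackThis or of anything posted in the thread.
The rules below are assumptions drawn from the entries the helper flagged."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Core Windows binaries whose names the thread's malware imitates
# (explorer32.exe, ?hkdsk.exe, csmss32.exe). Assumed list for this example.
SYSTEM_STEMS = ("explorer", "chkdsk", "attrib", "smss", "csrss", "winlogon",
                "svchost", "lsass", "services", "spoolsv")

# IE start/search values a user rarely sets per-user; every R1 line the helper
# asked to fix names one of these (or the SearchURL key). Assumed set.
SEARCH_VALUES = {"Default_Page_URL", "Default_Search_URL", "Search Bar",
                 "Search Page", "SearchAssistant", "CustomizeSearch",
                 "Start Page_bak", "HomeOldSP"}

R_LINE = re.compile(r"^R[01] - (?P<hive>HK\w+)\\(?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$")
O4_LINE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O10_LINE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.+)$")
O15_LINE = re.compile(r"^O15 - Trusted Zone: (?P<domain>\S+)$")


@dataclass
class Finding:
    section: str  # HijackThis section prefix, e.g. "O4"
    reason: str   # why the line deserves the analyst's attention
    line: str     # the original log line


def imitated_binary(filename: str) -> Optional[str]:
    """Return the core binary a file name imitates, or None.

    Two patterns seen in the thread: digits appended to a real name
    (explorer32.exe) and one substituted character (?hkdsk.exe, csmss32.exe)."""
    stem = filename.lower().rsplit(".", 1)[0]
    base = stem.rstrip("0123456789")
    if base in SYSTEM_STEMS and base != stem:
        return base
    for known in SYSTEM_STEMS:
        if len(known) == len(base) and base != known \
                and sum(a != b for a, b in zip(base, known)) == 1:
            return known
    return None


def executable_from_command(cmd: str) -> str:
    """Path of the program a Run-key command launches.

    Paths are quoted as stored in the registry; unquoted paths containing
    spaces are common, so otherwise take everything up to the first '.exe'."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    idx = cmd.lower().find(".exe")
    return cmd[:idx + 4] if idx != -1 else cmd.split()[0]


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per log line that trips at least one rule."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        reasons = []
        if (m := R_LINE.match(line)):
            data = m["data"].lower()
            if data.startswith("file://") and "\\temp\\" in data:
                reasons.append("search/start page points at a file in a Temp folder")
            if m["hive"] == "HKCU" and (m["value"] in SEARCH_VALUES
                                        or m["key"].endswith("\\SearchURL")):
                reasons.append("per-user override of an IE search/start value")
        elif (m := O4_LINE.match(line)):
            exe = executable_from_command(m["cmd"])
            name = exe.rsplit("\\", 1)[-1]
            if "\\application data\\" in exe.lower() or "\\temp\\" in exe.lower():
                reasons.append("autostart executable inside a user profile folder")
            if "?" in name:
                reasons.append("non-printable character in file name")
            if (who := imitated_binary(name)):
                reasons.append(f"file name imitates {who}.exe")
        elif O10_LINE.match(line):
            reasons.append("unrecognised Winsock LSP module; confirm the vendor")
        elif (m := O15_LINE.match(line)):
            reasons.append(f"{m['domain']} added to the IE Trusted Zone")
        if reasons:
            findings.append(Finding(line.split(" ", 1)[0], "; ".join(reasons), line))
    return findings


# Constructed sample: a dozen lines copied from the wife's-account log in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hot-search.biz/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Eida\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Win32SystemMonitor] C:\WINDOWS\System32\Ubk.exe
O4 - HKCU\..\Run: [Osus] C:\Documents and Settings\Eida\Application Data\acao.exe
O4 - HKCU\..\Run: [Win32 Explorer] C:\WINDOWS\System32\explorer32.exe
O4 - HKCU\..\Run: [Uiqcm] C:\WINDOWS\System32\?hkdsk.exe
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O15 - Trusted Zone: *.blazefind.com
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

Run stand-alone it reports seven of the eleven sample lines. Note what the rules deliberately do not catch: Ubk.exe, launched from System32 under the plausible-looking value name "Win32SystemMonitor", trips nothing, and the OEM HKLM Default_Page_URL for toshiba.com is left alone. The pre-screen narrows the list; an analyst still reads the whole log, which is exactly what the helper did in post #11.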
14-Dec-2004, 12:45 AM
#12 |
| Spyware Stormer Removal

Hi: I have a machine running Windows XP that somehow got Spyware Stormer installed. I would like to remove it. Can anyone suggest how to go about doing it? I have Ad-aware and Spybot Search & Destroy installed which I use from time to time. I do not like and do not want Spyware Stormer. I am attaching my hijack this log below. I would appreciate it if someone can give me suggestions on how to proceed.

I also have (what might be) an unrelated question. My computer no longer seems to want to connect through a router/firewall. I can use DHCP and get an IP address and get on the internet when I directly connect to the cable modem. But if I go through the router, DHCP refuses to assign an IP address. I've tried IPCONfig/renew and release, but it gives me a message that access is denied. From what I understand this has to do with a corrupt winsock registry. I saw some suggestions online on how to fix it, but it has not helped. If there is anything in my "hijackthis" log that can help fix this I would really appreciate it.

Thanks
-Suresh
------------------------------------------------------------------------
Logfile of HijackThis v1.98.2
Scan saved at 9:34:19 PM, on 12/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\System32\hphmon04.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\QUICKENW\bagent.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wini032.exe
c:\windows\system32\csmss32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\uju\Local Settings\Temp\Temporary Directory 2 for HijackThis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_3.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_3.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Spyware Stormer] C:\Program Files\Spyware Stormer\SpywareStormer.Exe
O4 - HKLM\..\Run: [MSNMGR] wini032.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [spoolsvr32] c:\windows\system32\csmss32.exe
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe
O4 - HKLM\..\RunServices: [MSNMGR] wini032.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSNMGR] wini032.exe
O4 - HKCU\..\RunServices: [MSNMGR] wini032.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: mscfg.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\QUICKENW\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMPANION\MODULES\MESSMOD2\V4\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMPANION\MODULES\MESSMOD2\V4\YHEXBMES.DLL
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: RemindU - {16BF42FD-CA0A-4f48-819D-B0343254DD67} - file://C:\Program Files\UpromiseRemindU\System\Temp\upromise_script0.htm (file missing) (HKCU)
O9 - Extra button: Dell Home - {90D7162F-5C08-4A00-B04B-6A5197462544} - http://www.dellnet.com (file missing) (HKCU)
O12 - Plugin for .mu3: C:\Program Files\Internet Explorer\Plugins\NPMyrMus.dll
O12 - Plugin for .mus: C:\Program Files\Internet Explorer\Plugins\NPMyrMus.dll
O12 - Plugin for .myr: C:\Program Files\Internet Explorer\Plugins\NPMyrMus.dll
O12 - Plugin for .myt: C:\Program Files\Internet Explorer\Plugins\NPMyrMus.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/mini...ansporter.cab?
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-12.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {5763F8E8-0DD7-4A0F-ADB0-9F64C8F2C349} (Pixami/Snapfish Upload UI Control) - http://www.snapfish.com/SnapfishUploader.cab
O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...19/mcgdmgr.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?319
O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) - http://activex.microsoft.com/activex...te/sdkinst.cab |